Command line tool that encrypts SSM secrets locally via AWS KMS and uploads the encrypted data to SSM.
- Create a secrets file on your local machine. Example:
    {
        "secrets": [
            {
                "Name": "/super/secret/parameter",
                "Value": "42",
                "Type": "SecureString",
                "Overwrite": true
            }
        ]
    }
For parameter options, see the boto3 put_parameter docs.
- Encrypting the file locally
    python -m ssmu -e -k {kms_id} -f path/to/file/{unencrypted_file.json} -s {stage} --o path/to/save
This will output a file named secret.{stage}
- Upload the encrypted file to ssm
    python -m ssmu -u -k {kms_id} -f path/to/file/secret.stage -s stage
Note: File paths use \ on Windows and / on Linux.
Note: Tags are not required, but if you do include them, both Key and Value are required.
    {
        "Name": "String [REQUIRED]",
        "Description": "String [NOT REQUIRED]",
        "Value": "String [REQUIRED]",
        "Type": "'String'|'StringList'|'SecureString' [REQUIRED]",
        "KeyId": "String [NOT REQUIRED]",
        "Overwrite": "BOOLEAN [NOT REQUIRED]",
        "AllowedPattern": "String [NOT REQUIRED]",
        "Tags": [
            {
                "Key": "String [REQUIRED]",
                "Value": "String [REQUIRED]"
            }
        ],
        "Tier": "'Standard'|'Advanced'|'Intelligent-Tiering' [NOT REQUIRED]",
        "Policies": "String [NOT REQUIRED]",
        "DataType": "String [NOT REQUIRED]"
    }

    {
        "secrets": [
            {
                "Name": "/this/is/super/secret",
                "Value": "shhhh",
                "Type": "String"
            }
        ]
    }

    {
        "secrets": [
            {
                "Name": "/this/is/super/secret",
                "Value": "shhhh",
                "Type": "SecureString"
            }
        ]
    }

    {
        "secrets": [
            {
                "Name": "/this/is/super/secret",
                "Value": "shhhh",
                "Type": "String"
            },
            {
                "Name": "/this/is/another/secret",
                "Value": "hmmmm",
                "Type": "SecureString",
                "Tags": [
                    {
                        "Key": "Project Name",
                        "Value": "Project X"
                    }
                ]
            }
        ]
    }

Note: You cannot use Overwrite and Tags in the same call. You should either add tags on first creation, or add / remove tags later on.
    {
        "secrets": [
            {
                "Name": "/this/is/super/secret",
                "Value": "new secret",
                "Type": "String",
                "Overwrite": true
            },
            {
                "Name": "/this/is/another/secret",
                "Value": "hmmmm",
                "Type": "SecureString",
                "Tags": [
                    {
                        "Key": "Project Name",
                        "Value": "Project X"
                    }
                ]
            }
        ]
    }
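
A pre-flight check for the rules listed above (required fields, allowed Type values, Tags needing Key and Value, and Overwrite not combined with Tags), so a bad entry is caught before anything is encrypted or uploaded. This is an added example, not part of ssmu; the function name `validate_secrets` and the sample input are hypothetical, and only parameter names are reported, never values.

```python
import json

ALLOWED_TYPES = {"String", "StringList", "SecureString"}
REQUIRED_FIELDS = ("Name", "Value", "Type")


def validate_secrets(doc):
    """Return a list of problems in a parsed secrets file (empty list = OK)."""
    secrets = doc.get("secrets") if isinstance(doc, dict) else None
    if not isinstance(secrets, list):
        return ["top-level 'secrets' must be a list"]
    problems = []
    for i, entry in enumerate(secrets):
        if not isinstance(entry, dict):
            problems.append(f"secrets[{i}]: entry must be an object")
            continue
        label = entry.get("Name", f"secrets[{i}]")
        for field in REQUIRED_FIELDS:
            if not isinstance(entry.get(field), str) or not entry[field]:
                problems.append(f"{label}: '{field}' is required (non-empty string)")
        kind = entry.get("Type")
        if isinstance(kind, str) and kind and kind not in ALLOWED_TYPES:
            problems.append(f"{label}: unknown Type '{kind}'")
        tags = entry.get("Tags") or []
        for j, tag in enumerate(tags):
            if not (isinstance(tag, dict) and isinstance(tag.get("Key"), str)
                    and isinstance(tag.get("Value"), str)):
                problems.append(f"{label}: Tags[{j}] needs both 'Key' and 'Value'")
        # The README's rule: Overwrite and Tags cannot go in the same call.
        if entry.get("Overwrite") is True and tags:
            problems.append(f"{label}: 'Overwrite' and 'Tags' cannot be combined")
    return problems


# Constructed sample input (not a real secrets file).
SAMPLE = json.loads("""
{"secrets": [
  {"Name": "/this/is/super/secret", "Value": "new secret", "Type": "String",
   "Overwrite": true},
  {"Name": "/this/is/another/secret", "Value": "hmmmm", "Type": "SecureString",
   "Overwrite": true, "Tags": [{"Key": "Project Name"}]},
  {"Name": "/missing/type", "Value": "x"}
]}
""")

if __name__ == "__main__":
    for problem in validate_secrets(SAMPLE):
        print(problem)
```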